ScraperAPI Global Access
Security checks across malware telemetry and agentic risk
Overview
This looks like a generic global website-testing tool, but its scripts embed a ScraperAPI key and send proxy/analytics visits to a fixed site instead of the user-provided URL.
Do not use this skill until the hardcoded API key is removed, the documented URL and credential controls are actually implemented, and the tool clearly confirms the target site before making proxy requests. Only run analytics-triggering or multi-country scraping against sites you own or are explicitly authorized to test.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may use or expose a ScraperAPI account key the user did not supply; the key could be abused, revoked, or intercepted, and quota/billing ownership is unclear.
A ScraperAPI credential is embedded in executable code and sent to the provider endpoint over plain HTTP, while the registry metadata declares no primary credential or required environment variable.
const SCRAPER_API_KEY = 'fd18228...35667'; ... axios.get('http://api.scraperapi.com', { params, timeout: 90000 })
Remove the hardcoded key, declare SCRAPER_API_KEY as a required credential, read it from the user's environment or config, and use HTTPS for provider calls.
A user may think they are testing their own chosen site, but running the script can generate traffic to faceswap.cool instead.
The executable code forces requests to a fixed website, despite the user-facing instructions advertising commands with a user-supplied --url such as https://example.com.
const BASE_URL = 'https://faceswap.cool'; ... const fullUrl = BASE_URL + page;
Implement and validate the documented --url parameter, show the resolved target before running, and require confirmation for any external traffic generation.
If used without authorization, this can create artificial analytics traffic and may violate website or provider policies; in this package the destination is fixed rather than clearly user-controlled.
The script intentionally performs JS-rendered proxy visits with randomized sessions and frames success as appearing in Google Analytics.
render: true, // ✅ enable JS rendering
session_number: Math.floor(Math.random() * 10000) // simulate a different session
console.log(`✅ Visit succeeded (JS executed, GA should be able to see it)`);
Require explicit target ownership or authorization, add rate limits and dry-run previews, and disable analytics-triggering simulations unless the user deliberately opts in.
Some documented commands may fail or may not correspond to reviewed code.
The documentation references helper scripts that are not present in the provided file manifest, making the packaged skill incomplete or inconsistent.
node scripts/single_visit.js --url https://example.com --country us ... node scripts/performance_monitor.js --url https://example.com --interval 3600
Publish the complete referenced files or remove the unavailable commands from the documentation.
